CVE-2019-1679 — Server-Side Request Forgery in Cisco Expressway Series

CWE-918 — Server-Side Request Forgery4 documents4 sources

Severity

5.0MEDIUMNVD

EPSS

0.1%

top 76.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Expressway Series Cisco Telepresence Conductor Cisco Telepresence Video Communication Server +2 more

Timeline

PublishedFeb 7

Latest updateMay 13

Description

A vulnerability in the web interface of Cisco TelePresence Conductor, Cisco Expressway Series, and Cisco TelePresence Video Communication Server (VCS) Software could allow an authenticated, remote attacker to trigger an HTTP request from an affected server to an arbitrary host. This type of attack is commonly referred to as server-side request forgery (SSRF). The vulnerability is due to insufficient access controls for the REST API of Cisco Expressway Series and Cisco TelePresence VCS. An attack…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:NExploitability: 3.1 | Impact: 1.4

Affected Packages5 packages

▶NVDcisco/telepresence_video_communication_server< x12.5

▶CVEListV5cisco/cisco_telepresence_video_communication_serverunspecified — XC4.3.4

▶NVDcisco/telepresence_conductor< xc4.3.4

▶CVEListV5cisco/cisco_expressway_seriesunspecified — XC4.3.4

▶CVEListV5cisco/cisco_telepresence_conductorunspecified — XC4.3.4

🔴Vulnerability Details

GHSA

GHSA-f4vr-c276-c5cm: A vulnerability in the web interface of Cisco TelePresence Conductor, Cisco Expressway Series, and Cisco TelePresence Video Communication Server (VCS)↗2022-05-13

▶

CVEList

Cisco TelePresence Conductor, Cisco Expressway Series, and Cisco TelePresence Video Communication Server REST API Server-Side Request Forgery Vulnerability↗2019-02-07

▶

📋Vendor Advisories

Cisco

Cisco TelePresence Conductor, Cisco Expressway Series, and Cisco TelePresence Video Communication Server REST API Server-Side Request Forgery Vulnerability↗2019-02-06

▶